# Nmap Summary (ESP)

{{#include ../../banners/hacktricks-training.md}}


```
nmap -sV -sC -O -n -oA nmapscan 192.168.0.1/24
```

## Parameters

### IPs to scan

- **`<ip>,<net/mask>`:** Indicate the ips directly
- **`-iL <ips_file>`:** list_IPs
- **`-iR <number>`**: Number of random Ips, you can exclude possible Ips with `--exclude <Ips>` or `--excludefile <file>`.

### Equipment discovery

By default Nmap launches a discovery phase consisting of: `-PA80 -PS443 -PE -PP`

- **`-sL`**: It is not invasive, it lists the targets making **DNS** requests to resolve names. It is useful to know if for example www.prueba.es/24 all Ips are our targets.
- **`-Pn`**: **No ping**. This is useful if you know that all of them are active (if not, you could lose a lot of time, but this option also produces false negatives saying that they are not active), it prevents the discovery phase.
- **`-sn`** : **No port scan**. After completing the reconnaissance phase, it does not scan ports. It is relatively stealthy, and allows a small network scan. With privileges it sends an ACK (-PA) to 80, a SYN(-PS) to 443 and an echo request and a Timestamp request, without privileges it always completes connections. If the target is the network, it only uses ARP(-PR). If used with another option, only the packets of the other option are dropped.
- **`-PR`**: **Ping ARP**. It is used by default when analyzing computers in our network, it is faster than using pings. If you do not want to use ARP packets use `--send-ip`.
- **`-PS <ports>`**: It sends SYN packets to which if it answers SYN/ACK it is open (to which it answers with RST so as not to end the connection), if it answers RST it is closed and if it does not answer it is unreachable. In case of not having privileges, a total connection is automatically used. If no ports are given, it throws it to 80.
- **`-PA <ports>`**: Like the previous one but with ACK, combining both of them gives better results.
- **`-PU <ports>`**: The objective is the opposite, they are sent to ports that are expected to be closed. Some firewalls only check TCP connections. If it is closed it is answered with port unreachable, if it is answered with another icmp or not answered it is left as destination unreachable.
- **`-PE, -PP, -PM`** : ICMP PINGS: echo replay, timestamp and addresmask. They are launched to find out if the target is active.
- **`-PY<ports>`**: Sends SCTP INIT probes to 80 by default, INIT-ACK(open) or ABORT(closed) or nothing or ICMP unreachable(inactive) can be replied.
- **`-PO <protocols>`**: A protocol is indicated in the headers, by default 1(ICMP), 2(IGMP) and 4(Encap IP). For ICMP, IGMP, TCP (6) and UDP (17) protocols the protocol headers are sent, for the rest only the IP header is sent. The purpose of this is that due to the malformation of the headers, Protocol unreachable or responses of the same protocol are answered to know if it is up.
- **`-n`**: No DNS
- **`-R`**: DNS always

### Port scanning techniques

- **`-sS`**: Does not complete the connection so it leaves no trace, very good if it can be used.(privileges) It is the one used by default.
- **`-sT`**: Completes the connection, so it does leave a trace, but it can be used for sure. By default without privileges.
- **`-sU`**: Slower, for UDP. Mostly: DNS(53), SNMP(161,162), DHCP(67 and 68), (-sU53,161,162,67,68): open(reply), closed(port unreachable), filtered (another ICMP), open/filtered (nothing). In case of open/filtered, -sV sends numerous requests to detect any of the versions that nmap supports and can detect the true state. It increases a lot the time.
- **`-sY`**: SCTP protocol fails to establish the connection, so there are no logs, works like -PY
- **`-sN,-sX,-sF`:** Null, Fin, Xmas, they can penetrate some firewalls and extract information. They are based on the fact that standard compliant machines should respond with RST all requests that do not have SYN, RST or ACK lags raised: open/filtered(nothing), closed(RST), filtered (ICMP unreachable). Unreliable on WIndows, CIsco, BSDI and OS/400. On unix yes.
- **`-sM`**: Maimon scan: Sends FIN and ACK flags, used for BSD, currently will return all as closed.
- **`-sA, sW`**: ACK and Window, is used to detect firewalls, to know if the ports are filtered or not. The -sW does distinguish between open/closed since the open ones respond with a different window value: open (RST with window other than 0), closed (RST window = 0), filtered (ICMP unreachable or nothing). Not all computers work this way, so if it is all closed, it is not working, if it is a few open, it is working fine, and if it is many open and few closed, it is working the other way around.
- **`-sI`:** Idle scan. For the cases in which there is an active firewall but we know that it does not filter to a certain Ip (or when we simply want anonymity) we can use the zombie scanner (it works for all the ports), to look for possible zombies we can use the scrpit ipidseq or the exploit auxiliary/scanner/ip/ipidseq. This scanner is based on the IPID number of the IP packets.
- **`--badsum`:** It sends the sum wrong, the computers would discard the packets, but the firewalls could answer something, it is used to detect firewalls.
- **`-sZ`:** "Weird" SCTP scanner, when sending probes with cookie echo fragments they should be dropped if open or responded with ABORT if closed. It can pass through firewalls that init does not pass through, the bad thing is that it does not distinguish between filtered and open.
- **`-sO`:** Protocol Ip scan. Sends bad and empty headers in which sometimes not even the protocol can be distinguished. If ICMP unreachable protocol arrives it is closed, if unreachable port arrives it is open, if another error arrives, filtered, if nothing arrives, open|filtered.
- **`-b <server>`:** FTPhost--> It is used to scan a host from another one, this is done by connecting the ftp of another machine and asking it to send files to the ports that you want to scan from another machine, according to the answers we will know if they are open or not. \[\<user>:\<password>@]\<server>\[:\<port>] Almost all ftps servers no longer let you do this and therefore it is of little practical use.

### **Focus Analysis**

**-p:** Used to specify ports to scan. To select all 65,335 ports: **-p-** or **-p all**. Nmap has an internal classification based on popularity. By default, it uses the top 1000 ports. With **-F** (fast scan) it analyzes the top 100. With **--top-ports <number>** it analyzes that number of top ports (from 1 to 65,335). It checks ports in random order; to prevent this, use **-r**. We can also select specific ports: 20-30,80,443,1024- (the latter means to look from 1024 onwards). We can also group ports by protocols: U:53,T:21-25,80,139,S:9. We can also choose a range within Nmap's popular ports: -p [-1024] analyzes up to port 1024 from those included in nmap-services. **--port-ratio <ratio>** Analyzes the most common ports within a ratio between 0 and 1

**-sV** Version scanning, intensity can be regulated from 0 to 9, default is 7.

**--version-intensity <number>** We regulate the intensity, so that the lower it is, it will only launch the most probable probes, but not all. With this, we can considerably shorten UDP scanning time

**-O** OS detection

**--osscan-limit** For proper host scanning, at least one open port and one closed port are needed. If this condition isn't met and we've set this, it won't attempt OS prediction (saves time)

**--osscan-guess** When OS detection isn't perfect, this makes it try harder

**Scripts**

--script _<filename>_|_<category>_|_<directory>_|_<expression>_[,...]

To use default scripts, use -sC or --script=default

Available types are: auth, broadcast, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln

- **Auth:** executes all available authentication scripts
- **Default:** executes basic default tool scripts
- **Discovery:** retrieves information from the target or victim
- **External:** script for using external resources
- **Intrusive:** uses scripts considered intrusive to the victim or target
- **Malware:** checks for connections opened by malicious code or backdoors
- **Safe:** executes non-intrusive scripts
- **Vuln:** discovers the most known vulnerabilities
- **All:** executes absolutely all available NSE extension scripts

To search for scripts:

**nmap --script-help="http-\*" -> Those starting with http-**

**nmap --script-help="not intrusive" -> All except those**

**nmap --script-help="default or safe" -> Those in either or both**

**nmap --script-help="default and safe" --> Those in both**

**nmap --script-help="(default or safe or intrusive) and not http-\*"**

--script-args _<n1>_=_<v1>_,_<n2>_={_<n3>_=_<v3>_},_<n4>_={_<v4>_,_<v5>_}

--script-args-file _<filename>_

--script-help _<filename>_|_<category>_|_<directory>_|_<expression>_|all[,...]

--script-trace ---> Provides info on how the script is progressing

--script-updatedb

**To use a script, just type: nmap --script Script_Name target** --> When using the script, both the script and scanner will execute, so scanner options can also be added. We can add **"safe=1"** to execute only safe ones.

**Time Control**

**Nmap can modify time in seconds, minutes, ms:** --host-timeout arguments 900000ms, 900, 900s, and 15m all do the same thing.

Nmap divides the total number of hosts to scan into groups and analyzes these groups in blocks, so it doesn't move to the next block until all have been analyzed (and the user doesn't receive any updates until the block has been analyzed). This way, it's more optimal for Nmap to use large groups. By default in class C, it uses 256.

This can be changed with **--min-hostgroup** _**<numhosts>**_**;** **--max-hostgroup** _**<numhosts>**_ (Adjust parallel scan group sizes)

You can control the number of parallel scanners but it's better not to (Nmap already incorporates automatic control based on network status): **--min-parallelism** _**<numprobes>**_**;** **--max-parallelism** _**<numprobes>**_

We can modify the RTT timeout, but it's usually not necessary: **--min-rtt-timeout** _**<time>**_**,** **--max-rtt-timeout** _**<time>**_**,** **--initial-rtt-timeout** _**<time>**_

We can modify the number of attempts: **--max-retries** _**<numtries>**_

We can modify the scanning time of a host: **--host-timeout** _**<time>**_

We can modify the time between each test to slow it down: **--scan-delay** _**<time>**_**;** **--max-scan-delay** _**<time>**_

We can modify the number of packets per second: **--min-rate** _**<number>**_**;** **--max-rate** _**<number>**_

Many ports take a long time to respond when filtered or closed. If we're only interested in open ones, we can go faster with: **--defeat-rst-ratelimit**

To define how aggressive we want Nmap to be: -T paranoid|sneaky|polite|normal|aggressive|insane

-T (0-1)

-T0 --> Only scans 1 port at a time and waits 5min until the next

-T1 and T2 --> Very similar but only wait 15 and 0.4sec respectively between each test

-T3 --> Default operation, includes parallel scanning

-T4 --> --max-rtt-timeout 1250ms --min-rtt-timeout 100ms --initial-rtt-timeout 500ms --max-retries 6 --max-scan-delay 10ms

-T5 --> --max-rtt-timeout 300ms --min-rtt-timeout 50ms --initial-rtt-timeout 250ms --max-retries 2 --host-timeout 15m --max-scan-delay 5ms

**Firewall/IDS**

They don't allow access to ports and analyze packets.

**-f** To fragment packets, by default fragments them into 8bytes after the header, to specify that size we use ..mtu (with this, don't use -f), the offset must be multiple of 8. **Version scanners and scripts don't support fragmentation**

**-D decoy1,decoy2,ME** Nmap sends scanners but with other IP addresses as origin, this way they hide you. If you put ME in the list, Nmap will place you there, better to put 5 or 6 before you to completely mask you. Random IPs can be generated with RND:<number> To generate <number> of random IPs. They don't work with TCP version detectors without connection. If you're inside a network, you're interested in using active IPs, as otherwise it will be very easy to figure out that you are the only active one.

To use random IPs: nmap -D RND:10 Target_IP

**-S IP** For when Nmap doesn't catch your IP address you have to give it with this. Also serves to make them think another target is scanning them.

**-e <interface>** To choose the interface

Many administrators leave entry ports open for everything to work correctly and it's easier for them than finding another solution. These can be DNS ports or FTP ports... to find this vulnerability Nmap incorporates: **--source-port** _**<portnumber>**_**;-g** _**<portnumber>**_ _They are equivalent_

**--data** _**<hex string>**_ To send hexadecimal text: --data 0xdeadbeef and --data \xCA\xFE\x09

**--data-string** _**<string>**_ To send normal text: --data-string "Scan conducted by Security Ops, extension 7192"

**--data-length** _**<number>**_ Nmap only sends headers, with this we achieve adding a number of more bytes (which will be generated randomly)

To configure the IP packet completely use **--ip-options**

If you wish to see the options in packets sent and received, specify --packet-trace. For more information and examples of using IP options with Nmap, see [http://seclists.org/nmap-dev/2006/q3/52](http://seclists.org/nmap-dev/2006/q3/52).

**--ttl** _**<value>**_

**--randomize-hosts** To make the attack less obvious

**--spoof-mac** _**<MAC address, prefix, or vendor name>**_ To change the MAC examples: Apple, 0, 01:02:03:04:05:06, deadbeefcafe, 0020F2, and Cisco

**--proxies** _**<Comma-separated list of proxy URLs>**_ To use proxies, sometimes a proxy doesn't maintain as many open connections as Nmap wants so parallelism would need to be modified: --max-parallelism

**-sP** To discover hosts in our network by ARP

Many administrators create a firewall rule that allows all packets coming from a particular port to pass through (like 20,53 and 67), we can tell Nmap to send our packets from these ports: **nmap --source-port 53 IP**

**Outputs**

**-oN file** Normal output

**-oX file** XML output

**-oS file** Script kiddies output

**-oG file** Greppable output

**-oA file** All except -oS

**-v level** verbosity

**-d level** debugging

**--reason** Why of host and state

**--stats-every time** Every that time tells us how it's going

**--packet-trace** To see which packets go out, filters can be specified like: --version-trace or --script-trace

**--open** shows open, open|filtered and unfiltered

**--resume file** Outputs a summary

**Miscellaneous**

**-6** Allows IPv6

**-A** is the same as -O -sV -sC --traceroute

**Run time**

While Nmap is running we can change options:

v / V Increase / decrease the verbosity level

d / D Increase / decrease the debugging Level

p / P Turn on / off packet tracing

? Print a runtime interaction help screen

**Vulscan**

Nmap script that looks at versions of services obtained in an offline database (downloaded from other very important ones) and returns possible vulnerabilities

The DBs it uses are:

1. Scipvuldb.csv | [http://www.scip.ch/en/?vuldb](http://www.scip.ch/en/?vuldb)
2. Cve.csv | [http://cve.mitre.org](http://cve.mitre.org/)
3. Osvdb.csv | [http://www.osvdb.org](http://www.osvdb.org/)
4. Securityfocus.csv | [http://www.securityfocus.com/bid/](http://www.securityfocus.com/bid/)
5. Securitytracker.csv | [http://www.securitytracker.com](http://www.securitytracker.com/)
6. Xforce.csv | [http://xforce.iss.net](http://xforce.iss.net/)
7. Exploitdb.csv | [http://www.exploit-db.com](http://www.exploit-db.com/)
8. Openvas.csv | [http://www.openvas.org](http://www.openvas.org/)

To download and install in the Nmap folder:

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar -czvf nmap_nse_vulscan-2.0.tar.gz vulscan/ && sudo cp -r vulscan/ /usr/share/nmap/scripts/

You would also need to download the DB packages and add them to /usr/share/nmap/scripts/vulscan/

Usage:

To use all: sudo nmap -sV --script=vulscan HOST_TO_SCAN

To use a specific DB: sudo nmap -sV --script=vulscan --script-args vulscandb=cve.csv HOST_TO_SCAN

## Speed Up Nmap Service scan x16

According [**to this post**](https://joshua.hu/nmap-speedup-service-scanning-16x) you can speed up the nmap service analysis by modifying all the **`totalwaitms`** values in **`/usr/share/nmap/nmap-service-probes`** to **300** and **`tcpwrappedms`** to **200**.

Moreover, probes which do not have a specifically defined **`servicewaitms`** use a default value of **`5000`**. Therefore, we can either add values to each of the probes, or we can **compile nmap** ourselves and change the default value in [**service_scan.h**](https://github.com/nmap/nmap/blob/master/service_scan.h#L79).

If you don't want to change the values of **`totalwaitms`** and **`tcpwrappedms`** at all in the `/usr/share/nmap/nmap-service-probes` file, you can edit the [parsing code](https://github.com/nmap/nmap/blob/master/service_scan.cc#L1358) such that these values in the `nmap-service-probes` file are completely ignored.


{{#include ../../banners/hacktricks-training.md}}